Four Men Arrested in JPMorgan Chase Bank Hack that Stole 83 Million Accounts

Four men located in Florida and Israel have been arrested in relation to the massive 2014 hack against JPMorgan Chase bank, which resulted in the theft of some 76 million customer and 7 million business accounts. News outlets such as the New York Times and Bloomberg cited anonymous sources regarding the arrests, without fully explaining the connection between the alleged suspects.

The United States Attorney in Manhattan, New York announced on Tuesday that two Florida men were taken into custody and formally charged with operating an unlicensed Bitcoin exchange service, coin[dot]mx. However, the criminal complaint filed makes no reference to JPMorgan Chase.

Alongside the two Americans, two Israelis named Gery Shalon and Ziv Orenstein were arrested by Israeli authorities. A fifth man believed to be connected to the hack, Joshua Samuel Aaron, an American living in Israel, is reportedly still on the run.

The Florida-based duo, Anthony Murgio and Yuri Lebedev, have been formally accused of operating coin.mx, through which they “knowingly exchanged cash for people whom they believed may be engaging in criminal activity,” federal prosecutors said in their criminal complaint. Among a number of other criminal violations, coin.mx has been accused of being a site used to collect bitcoin from ransomware scares.

Malware is constantly evolving online, and an older scam that criminals continue to use is the good ol’ ransomware scare. Ransomware is a term for a computer virus that holds your computer hostage for a ransom fee. This type of malware will generally lock the computer and display a screen stating something along the lines of "the cops have caught you," among other bogus claims, and say that you have to pay a certain dollar amount to recover your files.

According to prosecutors, Murgio and Lebedev’s coin.mx site was acting as a middleman for this type of ransomware extortion.

The two went on to use a fraudulent organization, called Collectible Club, and were able to acquire “beneficial control” of an undisclosed, New Jersey-based credit union. Prosecutors said the two used the bank to process electronic payments and described the credit union as a “captive bank.”

In a newly unsealed criminal complaint, federal prosecutors said the fraudulent group, Collectible Club, appears to have been set up in a way to “trick the major financial institutions through which they operated into believing their unlawful Bitcoin exchange business was simply a members-only association of individuals who discussed, bought, and sold collectable items, such as sports memorabilia.”

From speaking with representatives of the National Credit Union Association and reviewing NCUA records, I learned that while the Credit Union normally handled the modest banking needs of a small group of primarily low-income local residents, and had little or no experience with the business of ACH processing, by October 2014, the Payment Processor was processing over $30 million a month in ACH transactions through its account at the Credit Union. The NCUA learned of the unusual size and scope of the activity and, in part because the Credit Union did not have the AML policies or procedures in place to handle such voluminous payment processing, forced the Credit Union to stop allowing such processing; the NCUA separately required the Credit Union to remove the new Board members.

Murgio also did a terrible job of covering his digital footprint. The criminal complaint explains that, according to the FBI, the coin.mx domain was registered under Murgio’s legal name, using his personal e-mail and phone number for contact information.

Likewise, another domain they operated for the Collectible Club, collectpma[dot]com, is registered to an individual named Chris Smith. A simple online search reveals the e-mail address used to register the domain is also tied to Anthony Murgio.